Restricting Access By IP Address
Overview
Access to two different parts of Relevant can be restricted based on the user’s IP address. These two lists of allowed IP addresses are maintained separately.
IP addresses for PHI access in Relevant’s web application
For users accessing Relevant’s web application, access to pages with Protected Health Information (PHI) can be restricted by IP address. This is an optional feature, which health centers may or may not wish to use based on their specific needs. Although your context may dictate otherwise, Relevant generally recommends using the PHI IP allowlist for an improved security and compliance posture.
When IP restrictions are enabled, users at the health center (typically, an IT admin) can add, remove, or edit the list of allowed IP addresses as needed. Read more about managing access to PHI in Relevant’s web application.
Note: IP address restrictions do not apply when users log into Relevant via single sign-on (SSO). This applies to health center staff using Microsoft Entra SSO, as well as to Relevant employees, who log in via Google SSO.
IP addresses for Data Warehouse Access
For users who are connecting external tools directly to Relevant’s data warehouse, access must be restricted to a specific set of allowed IP addresses. Contact Relevant support to add or remove IP addresses from this list.
Working from home
Some users of Relevant work from home on a regular basis. How should they access Relevant, if IP-based restrictions are in place? There are several options. Choosing among them is a collaborative decision, typically made by the health center’s IT leadership and the health center’s Relevant project lead.
Option 1: VPN. The health center’s IT department can provide a VPN connection for remote employees. When the user connects to the VPN, internet traffic is routed through one of the health center’s “gateway” IP addresses, which can be added to the IP address allowlist for Relevant application access and/or the IP address allowlist for Relevant Data Warehouse access.
Option 2: Remote Desktop. Instead of accessing Relevant’s web application or Relevant’s Data Warehouse directly, remote users can use Remote Desktop (or a similar technology) to “remote in” to a workstation that resides inside the health center’s network perimeter.
Option 3: Allow Home IP Addresses. You can also choose to add the home IP addresses of remote employees to the allowlist for Relevant application access and/or the allowlist for Relevant Data Warehouse access. Often, this provides the most convenient and seamless experience for users. However, there are also some downsides to be aware of:
- Home IP addresses are typically dynamic, meaning they can be reassigned by the user’s internet service provider (ISP; e.g. Comcast or Verizon) at any time. Sometimes a home IP address will be stable for a year; other times it might change after two weeks. Most often, it changes when something “happens” and the home internet configuration gets reset—for example, if a router gets unplugged and then plugged back in.
- When a home IP address changes, the user’s connection to Relevant will break. The user’s new IP address will then need to be added to the allowlist for Relevant application access and/or the allowlist for Relevant Data Warehouse access. The user’s old IP address should also be removed from the allowlist(s), since the ISP will ultimately reassign that IP address to another user who has no relation to your health center.
Option 4: Exempt specific users from IP Address restrictions (Relevant application access only). Admins can use the PHI Access Settings page to grant an exemption to the IP-based restriction for specific users. For details, see Managing access to PHI in Relevant’s web application. (Note: this solution does not apply to Data Warehouse access.)